Project·Public

Postiz App

Report a vulnerability All advisories

/gitroomhq/postiz/postiz-app

Published advisories

Medium
PSA-2026-04-M1S0· April 28, 2026
TOCTOU DNS rebinding bypasses all SSRF URL validation paths
TOCTOU DNS rebinding bypasses all SSRF URL validation paths
High
PSA-2026-T0E4W0· April 27, 2026
Postiz stored XSS in public preview page
Postiz stored XSS in public preview page
Critical
PSA-2026-04-1YDY· April 24, 2026
Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev
High
PSA-2026-04-6EZ5· April 22, 2026
Server-Side Request Forgery via Redirect Bypass in /api/public/stream
Server-Side Request Forgery via Redirect Bypass in /api/public/stream
Critical
PSA-2026-04-5MVG· April 19, 2026
Unrestricted File Upload via MIME Type Spoofing Leads to Stored XSS
Unrestricted File Upload via MIME Type Spoofing Leads to Stored XSS
Medium
PSA-2026-04-HVBM· April 19, 2026
SSRF via Webhook Creation Endpoint Missing URL Safety Validation
SSRF via Webhook Creation Endpoint Missing URL Safety Validation
Medium
PSA-2026-04-KT4W· April 19, 2026
SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata
SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata
High
PSA-2026-04-422G· April 19, 2026
Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check
Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check
High
PSA-2026-04-SRGA· April 19, 2026
High-Severity SSRF in Postiz App
High-Severity SSRF in Postiz App
High
PSA-2026-04-ZR1M· April 19, 2026
Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader (CWE-918)
Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader (CWE-918)
High
PSA-2026-04-PY6V· April 19, 2026
Header mutation in middleware facilitates SSRF
Header mutation in middleware facilitates SSRF